To who do I need to delegate?
Well, this is a very generic and difficult question to answer, or at least it is without having several more following it. We need to identify any person who is making a change within Active Directory, excluding of course typical standard changes as “Changing my own password”.
In smaller scenarios a simple division within operations (reboot a computer, backup and restore data, reset and unblock user, etc,) and administration (create users, groups, access rights, etc.) might be sufficient.
But for larger organizations there might be several teams for each area:
- one group is in charge of granting and revoking access
- a different team manages the user provisioning
- several teams take care of desktops and laptops
- several teams are responsible for the servers
- individual teams are responsible for the infrastructure
Here is the Business who will dictate who is responsible of any assigned task, if the task is feasible. In other words, we should be able to identify the persons, or group of persons, who assign to run a task against the directory.